bpf,selinux: allocate bpf_security_struct per BPF token (36fb9494) · Commits · git / linux-net

security/selinux/hooks.c

+25 −0

Original line number	Diff line number	Diff line
		@@ -6828,6 +6828,29 @@ static void selinux_bpf_prog_free(struct bpf_prog *prog)
		prog->aux->security = NULL;
		kfree(bpfsec);
		}

		static int selinux_bpf_token_create(struct bpf_token token, union bpf_attr attr,
		struct path *path)
		{
		struct bpf_security_struct *bpfsec;

		bpfsec = kzalloc(sizeof(*bpfsec), GFP_KERNEL);
		if (!bpfsec)
		return -ENOMEM;

		bpfsec->sid = current_sid();
		token->security = bpfsec;

		return 0;
		}

		static void selinux_bpf_token_free(struct bpf_token *token)
		{
		struct bpf_security_struct *bpfsec = token->security;

		token->security = NULL;
		kfree(bpfsec);
		}
		#endif

		struct lsm_blob_sizes selinux_blob_sizes __ro_after_init = {
		@@ -7183,6 +7206,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
		LSM_HOOK_INIT(bpf_prog, selinux_bpf_prog),
		LSM_HOOK_INIT(bpf_map_free, selinux_bpf_map_free),
		LSM_HOOK_INIT(bpf_prog_free, selinux_bpf_prog_free),
		LSM_HOOK_INIT(bpf_token_free, selinux_bpf_token_free),
		#endif

		#ifdef CONFIG_PERF_EVENTS
		@@ -7241,6 +7265,7 @@ static struct security_hook_list selinux_hooks[] __ro_after_init = {
		#ifdef CONFIG_BPF_SYSCALL
		LSM_HOOK_INIT(bpf_map_create, selinux_bpf_map_create),
		LSM_HOOK_INIT(bpf_prog_load, selinux_bpf_prog_load),
		LSM_HOOK_INIT(bpf_token_create, selinux_bpf_token_create),
		#endif
		#ifdef CONFIG_PERF_EVENTS
		LSM_HOOK_INIT(perf_event_alloc, selinux_perf_event_alloc),